Refresh tokens have same expiration as access tokens?

ppk · May 20, 2020, 7:54am

Hi guys,

Having some trouble with refresh tokens, could I confirm my findings are as expected?

Refresh tokens have the same expiration (exp) time as access tokens according to the introspect endpoint
A successful call to /oauth2/revoke for an access token also deactivates the refresh token

If the above is expected, is there some configuration that allows for refresh tokens that don’t expire?

Version: v1.0.0-beta.9
Git Hash: f359d0809badec1219d4678afe54ae628b0bdf70
Build Time: 2018-09-01T13:28:52Z

Thanks for hydra, it seems like a perfect fit for our use-case!

PPK

hackerman · September 9, 2018, 3:24pm

Refresh tokens do not have an expire time. The response from introspection is a bug (please create an issue on github!). Refresh tokens are invaldiated with acces tokens on revolation.

ppk · September 9, 2018, 3:45pm

Bug reported here: https://github.com/ory/hydra/issues/1025

Thanks for the clarification